ge-ds-242-poe managed ethernet switch user...

GE Security

P/N 1069174 • REV 1.0 • ISS 22FEB10

GE-DS-242-PoE Managed Ethernet Switch User Manual

Copyright © 2010 GE Security, Inc.

This document may not be copied in whole or in part or otherwise reproduced without prior written consent from GE Security, Inc., except where specifically permitted under US and international copyright law.

Disclaimer The information in this document is subject to change without notice. GE Security, Inc. (“GE Security”) assumes no responsibility for inaccuracies or omissions and specifically disclaims any liabilities, losses, or risks, personal or otherwise, incurred as a consequence, directly or indirectly, of the use or application of any of the contents of this document. For the latest documentation, contact your local supplier or visit us online at www.gesecurity.com.

This publication may contain examples of screen captures and reports used in daily operations. Examples may include fictitious names of individuals and companies. Any similarity to names and addresses of actual businesses or persons is entirely coincidental.

Trademarks and patents GE and the GE monogram are trademarks of General Electric Company.

Other trade names used in this document may be trademarks or registered trademarks of the manufacturers or vendors of the respective products.

Intended use Use this product only for the purpose it was designed for; refer to the data sheet and user documentation for details. For the latest product information, contact your local supplier or visit us online at www.gesecurity.com.

FCC compliance This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. You are cautioned that any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

Regulatory information N4131

Manufacturer GE Security, Inc. HQ and regulatory responsibility: GE Security, Inc., 8985 Town Center Parkway, Bradenton, FL 34202, USA

EU authorized manufacturing representative: GE Security B.V., Kelvinstraat 7, 6003 DH Weert, The Netherlands

European Union directives

2002/96/EC (WEEE directive): Products marked with this symbol cannot be disposed of as unsorted municipal waste in the European Union. For proper recycling, return this product to your local supplier upon the purchase of equivalent new equipment, or dispose of it at designated collection points. For more information see: www.recyclethis.info.

Contact information For contact information see our Web site: www.gesecurity.com.

For contact information see our Web site: www.gesecurity.eu.

http://www.gesecurity.com/

GE-DS-242-PoE Managed Ethernet Switch User Manual i

Content

Chapter 1 Introduction 1 Package Contents 2 Product Description 2 How to Use this Manual 3 Product Features 4 Product Specifications 7

Chapter 2 Installation 11 Hardware Description 12 Switch Installation 15

Chapter 3 Switch Management 21 Requirements 22 Management Access Overview 22 Web Management 23 SNMP-Based Network Management 25 Administration Console 25 Protocols 27 Management Architecture 28

Chapter 4 Web-Based Management 29 About Web-based Management 29 System 34 VLAN Configuration 54 Rapid Spanning Tree 69 Trunking 81 Forwarding and Filtering 88 IGMP Snooping 91 QoS Configuration 96 Access Control List 102 MAC Limit 107 802.1X Configuration 109 Power Over Ethernet 116

Chapter 5 Console Management 121 Login in the Console Interface 121 Configure IP address 123 Commands Level 125

ii GE-DS-242-PoE Managed Ethernet Switch User Manual

Chapter 6 Command Line Interface 127 Operation Notice 127 System Commands 128 Switch Static Configuration 129 Trunk Configuration 135 VLAN Configuration 138 Misc Configuration 147 Administration Configuration 149 MAC limit 154 Port Mirroring Configuration 155 Quality of Service 156 MAC Address Configuration 159 STP/RSTP Commands 162 SNMP 167 IGMP 171 802.1x Protocol 173 Access Control List 177 Binding 182 Power over Ethernet Commands 184

Chapter 7 Switch Operation 191

Chapter 8 Power Over Ethernet Overview 193 What is PoE? 193

Chapter 9 Troubleshooting 201

Appendix A RJ-45 Pin Assignment 203 Switch's RJ-45 Pin Assignments 203 10/100Mbps, 10/100Base-TX 204

GE-DS-242-PoE Managed Ethernet Switch User Manual 1

Chapter 1 Introduction

The GE Security GE-DS-242-PoE offers 24 10/100Mbps Fast Ethernet ports with 2 Gigabit TP/SFP combo ports (Port-25, 26). The two Gigabit TP/SFP combo ports can be either 1000Base-T for 10/100/1000Mbps or 1000Base-SX/LX through SFP (Small Form-Factor Pluggable) interface. The GE-DS-242-PoE has a high performance switch architecture that is capable of providing non-blocking switch fabric and wire-speed throughput as high as 8.8Gbps. Its two built-in GbE uplink ports also offer incredible extensibility, flexibility and connectivity to the Core switch or Server.

The PoE in-line power following the standard IEEE 802.3af makes the GE-DS-242-PoE able to power on 24 PoE devices at the distance up to 100 meters through the 4-pair Cat 5/5e UTP wire.

Chapter 1: Introduction

2 GE-DS-242-PoE Managed Ethernet Switch User Manual

Package Contents

What’s in the box Open the Managed Switch box and carefully unpack it. The box should contain the following items:

The Managed Switch x1

User’s manual CD x1

Installation Sheet x1

19” Rack mount accessory kit x1

Power cord x1

Rubber feet X4

RS-232 cable x1

If any of these are missing or damaged, please contact your dealer immediately. If possible, retain the carton including the original packing material, and use them to repack the product in case there is a need to return it.

Product Description

High Performance Wire-Speed Switching

The GE Security GE-DS-242-PoE Managed Switch offers 24 Ethernet ports with 2 Gigabit TP / SFP combo ports (Port-25, 26). The type 24 Fast Ethernet ports of GE-DS-242-PoE are 10 / 100Base-TX copper (RJ-45). These two Gigabit TP / SFP combo ports of all models can be either 1000Base-T for 10/100/1000Mbps or 1000Base-SX/LX through SFP (Small Form-factor Pluggable) interface. The distance can be extended from 100 meters (TP), 550 meters (Multi-mode fiber), up to above 10/50/70/120 kilometers (Single-mode fiber).

The series Managed Switch boasts a high performance switch's architecture that is capable of providing non-blocking switch fabric and wire-speed throughput as high as 8.8Gbps. Its two built-in GbE uplink ports also offer incredible extensibility, flexibility and connectivity to the Core switches or Servers.



Power Over Ethernet

The PoE in-line power following the standard IEEE 802.3af makes the GE-DS-242-PoE able to power on 24 PoE devices at a distance of up to 100 meters through the 4-pair Cat 5/5e UTP wire.

Cost-effective solution with SNMP monitor for Network deployment

GE Security releases the cost-effective Managed Switch not only for catering to the need of easy WEB-based management, but also the centralized SNMP application to monitor the status of Switch and traffic per port. The key features are:

• WEB / SSL / Telnet

• 802.1Q / Q-in-Q VLAN

• Rapid Spanning Tree

• IGMP Snooping

• 802.1X Authentication / RADIUS

• Access Control List

• SNMP and 4 RMON groups

How to Use this Manual This User Manual is structured as follows:

Section Section Content

INTRODUCTION Product description with features and specifications

INSTALLATION Explains the functions of the Managed Switch, and how to physically install the Managed Switch

SWITCH MANAGEMENT Contains information about the software function of the Managed Switch

WEB CONFIGURATION Explains how to manage the Managed Switch by Web interface

CONSOLE MANAGEMENT Describes how to use the Console management interface

COMMAND LINE INTERFACE

Explains how to manage the Managed Switch by Command Line interface

SWITCH OPERATION Explains how to operate the Managed Switch

POWER OVER ETHERNET OVERVIEW

Introduces the IEEE 802.3af PoE standard and PoE provision of the Managed Switch.

TROUBLESHOOTING Explains how to troubleshoot the Managed Switch

APPENDIX A Contains cable information for the Managed Switch



Product Features • Physical Port

o 24-Port 10/100Base-TX RJ-45 with PoE Injector

o 2-Port Gigabit TP/SFP combo interfaces

o Reset button for system management

o 1 RS-232 male DB9 console interface for Switch basic management and setup

• Layer 2 Features

o Complies with the IEEE 802.3, IEEE 802.3u, IEEE 802.3ab, IEEE 802.3z Gigabit Ethernet standard

o High performance Store and Forward architecture, broadcast storm control, runt/CRC filtering eliminates erroneous packets to optimize the network bandwidth

o 8K MAC Address Table, automatic source address learning and ageing

o Support VLANs:

IEEE 802.1Q Tag-Based VLAN

Up to 255 VLANs groups, out of 4096 VLAN IDs

Port-Based VLAN

Q-in-Q tunneling (Double Tag VLAN)

o Supports Link Aggregation

Up to 13 Trunk groups

Up to 8 ports per trunk group with 1.6Gbps bandwidth (Full Duplex mode)

IEEE 802.3ad LACP (Link Aggregation Control Protocol)

Cisco ether-Channel (Static Trunk)

o Support Spanning Tree Protocol:

STP, IEEE 802.1D (Classic Spanning Tree Protocol)

RSTP, IEEE 802.1w (Rapid Spanning Tree Protocol)

• Quality of Service

o 4 priority queues on all switch ports

o Traffic classification:



IEEE 802.1p Class of Service

IP TOS / DSCP code priority

Port Base priority

o Strict priority and weighted round robin (WRR) CoS policies

o Ingress/Egress Bandwidth control on each port

• Multicast

o IGMP Snooping v1 and v2

o IGMP Query mode for Multicast Media application

o 256 multicast groups

• Security

o Layer 2 / 3 / 4 Access Control List (ACL)

o IEEE 802.1x Port-Based Authentication

o MAC address Filtering and MAC address Binding

o IP address security management to prevent unauthorized intruder

o Port Mirroring to monitor incoming or outgoing traffic on a particular port

• Management

o Switch Management Interface

Web switch management

Telnet Command Line Interface

SNMP v1, v2c switch management

Console local management

o SNMP Trap for alarm notification of events

o Four RMON groups 1, 2, 3, 9 (history, statistics, alarms, and events)

o Built-in Trivial File Transfer Protocol (TFTP) client

o Firmware upload / download via TFTP or HTTP

o Configuration upload / download via TFTP or HTTP

o Supports Ping function

• Power over Ethernet

o Complies with IEEE 802.3af Power over Ethernet End-Span PSE

o Up to 24 IEEE 802.3af devices powered

o Support PoE Power up to 15.4 watts for each PoE ports



o Auto detect powered device (PD)

o Circuit protection prevent power interference between ports

o Remote power feeding up to 100m

o PoE Management

Total PoE power budget control

Per port PoE function enable/disable

PoE Port Power feeding priority

Per PoE port power limit

PD classification detection

PoE Power Supply Over temperature Protection



Product Specifications

GE-DS-242-PoE

HARDWARE SPECIFICATIONS

10/100Mbps Copper Ports 24 10/100Base-TX RJ-45 Auto-MDI/MDI-X ports

1000Mbps Copper Ports 2 10/100/1000Base-T RJ-45 port

SFP/mini-GBIC Slots 2 SFP interfaces, shared with Port-25 and Port-26

Switch Architecture Store-and-Forward

Switch Fabric 8.8Gbps / non-blocking

Switch Throughput 6.547Mpps@64Bytes

Address Table 8K entries

Share Data Buffer 512Kbytes

Flash 4Mbytes

DRAM 16Mbytes

Maximum Frame Size 9K Bytes

Flow Control Back pressure (for Half-Duplex)

IEEE 802.3x Pause Frame (for Full-Duplex)

LED

Power, FAN Alarm

Link/Activity (Green)

PoE In-Use (Amber)

1000 LNK/ACT (Green)

10/100 LNK/ACT (Green)

Dimensions (W x D x H) 440 x 300 x 44 mm, 1U height

Weight 4.3kg

Power Requirement 100~240V AC, 50-60 Hz

Power Consumption 400 Watts (Full PoE Load)

Operating Temperature Standard: 0 to 50°C

Operating Humidity 10% to 90% (Non-condensing)

Storage Temperature -20 to +70°C

Layer 2 Functions

Management Interface Console, Telnet, Web Browser, SNMP v1, v2c



Port Configuration

Port disable/enable

Auto-negotiation 10/100Mbps full and half duplex mode selection

Flow Control disable / enable

Bandwidth control and broadcast storm filter on each port

Port Status Display each port's speed duplex mode, link status, flow control status, auto-negotiation status

VLAN Port-Based VLAN, up to 26 VLAN groups

IEEE 802.1q Tagged Based VLAN , 4K VLAN ID, up to 256 VLAN groups

Spanning Tree IEEE 802.1d Spanning Tree

IEEE 802.1w Rapid Spanning Tree

Link Aggregation

Static Port Trunk

IEEE 802.3ad LACP (Link Aggregation Control Protocol)

Supports 13 groups of 8-Port trunk support

Quality of Service

Traffic classification based on:

• Port-Based priority

• 802.1p priority

• IP DSCP/TOS field in IP Packet

IGMP Snooping v1 and v2

256 multicast groups and IGMP query

Bandwidth Control Per port ingress/egress bandwidth control in steps of128Kbps

Port Mirror RX / TX / Both

Security

802.1x Port-Based Network access control

MAC Limit

Static MAC

MAC Filtering

Access Control List Supports up to 220 rule entries

SNMP MIBs

RFC-1157 SNMP MIB

RFC-1213 MIB-II

RFC-1215 Trap

RFC-2863 Interface MIB

RFC-1493 Bridge MIB

RFC-2674 Extended Bridge MIB (Q-Bridge)

RFC-1643

Power over Ethernet

PoE Standard IEEE 802.3af Power over Ethernet / PSE



PoE Power Supply Type End-Span

PoE Power Output Per Port 48V DC, 350mA . Max. 15.4 watts

Power Pin Assignment 1/2(+), 3/6(-)

PoE Power Budget 380 Watts

Max. number of Class 2 PD 24

Max. number of Class 3 PD 24

Standards Conformance

Safety FCC Part 15 Class A, CE

Standards Compliance

IEEE 802.3 10Base-T

IEEE 802.3u 100Base-TX

IEEE 802.3z Gigabit SX/LX

IEEE 802.3ab Gigabit 1000Base-T

IEEE 802.3x Flow Control and Back pressure

IEEE 802.1d Spanning tree protocol

IEEE 802.1w Rapid spanning tree protocol

IEEE 802.1p Class of service

IEEE 802.1Q VLAN Tagging

IEEE 802.1x Port Authentication Network Control

IEEE 802.3af Power over Ethernet

Cable-Fiber-optic cable

• 50 / 125µm or 62.5 / 125µm multi-mode fiber cable:

- 100Base-FX: up to 2km

- 1000Base-SX: up to 220/550m

• 9 / 125µm single-mode cable, provides long distance for:

- 100Base-FX: up to 10/40/60km (vary on fiber transceiver or SFP module)

- 1000Base-LX / ZX: 10 / 15 / 20 / 30 / 40 / 50 / 60 / 70 / 120km (vary on fiber transceiver or SFP module)


Chapter 2 Installation

This section describes the hardware features and installation of the Managed Switch on the desktop or rack mount.

For easier management and control of the Managed Switch, familiarize yourself with its display indicators and ports. Front panel illustrations in this chapter display the unit’s LED indicators.

Read this chapter completely before connecting any network device to the Managed Switch.

Chapter 2: Installation


Hardware Description

Switch Front Panel The Switches front panel provides a simple interface for monitoring the Managed Switch. Figure 2-1 shows the front panel of the Managed Switch.

Figure 2-1: GE-DS-242-PoE Switch front panel

10/100Mbps TP Interface

Port-1~Port-24: 10/100Base-TX Copper, RJ-45 Twist-Pair: Up to 100 meters.

Gigabit TP Interface

Port-25, Port-26: 10/100/1000Base-T Copper, RJ-45 Twist-Pair: Up to 100 meters.

Gigabit SFP Slots

Port-25, Port-26: 1000Base-SX/LX mini-GBIC slot, SFP (Small Form-Factor Pluggable) transceiver module: from 550 meters (Multi-mode fiber), up to 10/30/50/70/120 kilometers (Single-mode fiber).

Console Port

The console port is a DB9, RS-232 male serial port connector. It is an interface for connecting a terminal directly. Through the console port, it provides rich diagnostic information includes IP Address setting, factory reset, port management, link status and system setting. Users may use the attached RS-232 cable in the package and connect to the console port on the device. After the connection, users may run any terminal emulation program (Hyper Terminal, ProComm Plus, Telix, Winterm and so on) to enter the device’s startup screen.



Reset button

At the left of front panel, the Reset button is designed to reboot the Managed Switch without turning the power off. The following table summarizes the Reset button functions:

Reset Button Pressed and Released Function

About 1~3 seconds Reboots the Managed Switch

Until the PWR LED goes out

Resets the Managed Switch to Factory Default configuration. The Managed Switch will then reboot and load the default settings as below:

• Default Password: admin

• Default IP address: 192.168.0.100

• Subnet mask: 255.255.255.0

• Default Gateway: 192.168.0.254

LED Indicators The front panels LEDs indicate instant status of port links, data activity and system power. They help monitor the system and aid in troubleshooting when necessary. The front panel LEDs are shown in Figure 2-2.

Figure 2-2: GE-DS-242-PoE LED panel



• System LED Color Function

PWR Green Lit: indicates there is power to the Switch

• Per 10/100Base-TX, PoE interfaces (Port-1 to Port-24) LED Color Function

LNK/ACT Green

Lit: indicates the link through that port is successfully established

Blink: indicares the Switch is actively sending or receiving data over that port

PoE In Use Orange Lit: indicates the port is providing 48VDC in-line power

Off: indicates the connected device is not a PoE Powered Device (PD)

• Per 10/100/1000Base-T port/SFP interfaces LED Color Function

LNK/ACT 1000 Green

Lit: indicates the port is operating at 1000Mbps

Off: indicates the port is operating at 10Mbps or 100Mbps

Blink: indicates the Switch is actively sending or receiving data over that port

LNK/ACT 100 Green

Lit: indicates the port is operating at 100Mbps

Off: indicates the port is operating at 10Mbps or 1000Mbps

Blink: indicates the Switch is actively sending or receiving data over that port

NOTE:

1. Press the RESET button once. The Switch will reboot automatically.

2. Press the RESET button for about 10 seconds. The Switch will revert to the factory default mode; the entire configuration will be erased.

3. The 2 Gigabit TP/SFP combo ports are shared with port 25/26 of GE-DS-242-PoE. Both of them can operate at the same time.



Switch Rear Panel The rear panel of the Managed Switch includes an AC inlet power socket, which accepts input power from 100 to 240VAC, 50-60 Hz. Figure 2-3 shows the rear panel of the Managed Switch.

Figure 2-3: GE-DS-242-PoE Rear panel

23

POWER NOTICE:

1. The Managed Switch is a power-required device: it will not work unless it is receiving power. If your networks must be active at all times, it is recommended that the Switch be connected to a UPS (Uninterruptable Power Supply) to prevent data loss or downtime.

2. In some areas, installing a surge suppression device may also help protect your Managed Switch from being damaged by unregulated power surges or current to either the Switch or the power adapter.

Switch Installation This text describes how to install the Managed Switch and connect it as necessary. Please read the following instructions, and perform the procedures in the listed order.

Desktop/Shelf Installation

NOTE: Refer to the environmental restrictions listed in the Product Specifications when selecting a location for the Managed Switch.

Step 1: Attach the rubber feet to the recessed areas on the bottom of the Managed Switch.

Step 2: Place the Managed Switch on a desktop or shelf near an AC power source, as shown in Figure 2-4.



Step 3: Ensure there is enough ventilation space between the Managed Switch and surrounding objects.

Figure 2-4: Typical placement of GE-DS-242-PoE on desktop

NOTE: Connection to the Managed Switch requires UTP Category 5 network cabling with RJ-45 tips. Refer to the Cabling Specification in Appendix A for further information.

Step 4: Connect the Managed Switch to network devices.

A. Connect one end of a standard network cable to the 10/100/1000 RJ-45 ports on the front of the Managed Switch.

B. Connect the other end of the cable to the network devices (printer servers, workstations, routers etc).

Step 5: Connect the Managed Switch to supply power.

A. Connect socket end of the power cable to the socket on the Managed Switch rear panel.

B. Connect the power cable plug to a standard wall outlet.

C. Switch the power switch on the rear panel to ON.

When the Managed Switch receives power, the Power LED should light and remain solid Green.

Rack-mount Installation Use the following instructions to install the Managed Switch in a 19-inch standard rack.



Step 1: Place the Managed Switch on a hard flat surface, with the front panel positioned towards the front.

CAUTION: Use only the screws supplied with the mounting brackets. Damage caused by using incorrect screws will invalidate the warranty.

Step 2: Attach the rack-mount bracket to each side of the Managed Switch. Use the supplied screws attached to the package.

Figure 2-5 shows how to attach brackets to one side of the Managed Switch.

Figure 2-5: Attaching rack-mount brackets to the GE-DS-242-PoE

Step 3: Secure the brackets tightly, but do not overtighten screws.

Step 4: Follow the same steps to attach the second bracket to the opposite side.

Step 5: After the brackets are attached to the Managed Switch, use suitable screws to securely attach the brackets to the rack, as shown in Figure 2-6.

Figure 2-6: Mounting the GE-DS-242-PoE in a rack



Step 6: Follow steps 4 and 5 of the Desktop Installation section to connect the network cabling and supply power to the Managed Switch.

SFP Transceiver Installation This section describes how to insert an SFP transceiver into an SFP slot.

SFP transceivers are hot pluggable and hot swappable. You can insert and remove a transceiver to and from any SFP port without powering down the Managed Switch, as shown in Figure 2-7.

Figure 2-7: Plugging-in the SFP transceiver

Approved GE Security SFP Transceivers

The Managed Switch supports both single-mode and multi-mode SFP transceivers. The following list of approved GE Security SFP transceivers is correct at the time of publication:

1000Base-SX/LX SFP transceiver:

• SFP1000SX-220 SFP (1000BASE-SX SFP transceiver - Multi mode / 220m)

• SFP1000LX-10Km SFP (1000BASE-LX SFP transceiver - Single Mode / 10km)

NOTE: It is recommended that only approved GE Security SFP transceivers be used on the Managed Switch. If you insert an SFP transceiver that is not supported, the Switch will not recognize it.



Before connecting the other switches, workstations or Media Converter:

1. Make sure both sides of the SFP transceiver are the same media type (for example: 1000Base-SX to 1000Base-SX, 1000Bas-LX to 1000Base-LX).

2. Verify that the fiber-optic cable type matches the SFP transceiver model.

• To connect to the 1000Base-SX SFP transceiver, use multi-mode fiber cable (one side must be male duplex LC connector type).

• To connect to the 1000Base-LX SFP transceiver, use single-mode fiber cable (one side must be male duplex LC connector type).

Connect the fiber cable:

1. Attach the duplex LC connector on the network cable into the SFP transceiver.

2. Connect the other end of the cable to a device (switches with SFP installed, fiber NIC on a workstation, or a Media Converter).

3. Check the LNK/ACT LED of the SFP slot on the front of the Switch. Ensure that the SFP transceiver is operating correctly.

4. Check the Link mode of the SFP port if the link failed. Co works with some fiber-NICs or Media Converters, set the Link mode to "1000 Force" is needed.

Remove the transceiver module

1. Make sure there is no network activity by consult or check with the network administrator, or through the management interface of the switch/converter (if available) to disable the port in advance.

2. Remove the Fiber Optic Cable gently.

3. Turn the handle of the MGB module to horizontal.

4. Pull out the module gently through the handle.



Figure 2-8: Pulling out the SFP transceiver

CAUTION: Never pull out the module without pulling the handle or the push bolts on the module. Pulling out the module with too much force could damage the module and SFP module slot of the Managed Industrial Switch.


Chapter 3 Switch Management

This chapter explains the methods that you can use to configure management access to the Managed Switch. It describes the types of management applications and the communication and management protocols that deliver data between your management device (work-station or personal computer) and the system. It also contains information about port connection options.

This chapter covers the following topics:

• Requirements

• Management Access Overview

• Administration Console Access

• Web Management Access

• SNMP Access

• Standards, Protocols, and Related Reading.

Chapter 3: Switch Management


Requirements • Workstations of subscribers running Windows 98/ME, NT4.0, 2000/XP, MAC OS9 or

later, Linux, UNIX or other platform compatible with TCP/IP protocols.

• Workstation installed with Ethernet NIC (Network Interface Card)

• Ethernet Port connection

• Network cables - Use standard network (UTP) cables with RJ45 connectors.

• Above Workstation installed with WEB Browser and JAVA runtime environment Plug-in

• Serial Port connection

• Above PC with COM Port (DB-9 / RS-232) or USB-to-RS-232 converter

NOTE: We recommended Internet Explore 6.0 or above to access the Managed Switch.

Management Access Overview The Managed Switch gives you the flexibility to access and manage it using any or all of the following methods:

• Web browser interface

• An external SNMP-based network management application

• The Administration Console

The Administration Console and Web browser interface support are embedded in the Managed Switch software and are available for immediate use. Each of these management methods has their own advantages and disadvantages. Table 3-1 compares the three management methods.



Table 3-1: Management Methods Comparison

Method Advantages Disadvantages

Web Browser • Ideal for configuring the switch remotely

• Compatible with all popular browsers

• Can be accessed from any location

• Most visually appealing

• Security can be compromised (hackers need only know the IP address and subnet mask)

• May encounter lag times on poor connections

SNMP Agent • Communicates with switch functions at the MIB level

• Based on open standards

• Requires SNMP manager software

• Least visually appealing of all three methods

• Some settings require calculations

• Security can be compromised (hackers need only know the community name)

Console • No IP address or subnet needed

• Text-based

• Telnet functionality and HyperTerminal built into Windows 95/98/NT/2000/ME/XP operating systems

• Secure

• Must be near switch or use dial-up connection

• Not convenient for remote users

• Modem connection may prove to be unreliable or slow

Web Management The Managed Switch offers management features that allow users to manage the Managed Switch from anywhere on the network through a standard browser such as Microsoft Internet Explorer. After you set up your IP address for the switch, you can access the Managed Switch's Web interface applications directly in your Web browser by entering the IP address of the Managed Switch.

You can then use your Web browser to list and manage the Managed Switch configuration parameters from one central location, just as if you were directly connected to the Managed Switch's console port. Web Management requires either Microsoft Internet Explorer 6.0 or later, Safari or Mozilla Firefox 2.0 or later.



Figure 3-1: Web management setup

Figure 3-2: Web main screen of Managed Switch



SNMP-Based Network Management You can use an external SNMP-based application to configure and manage the Managed Switch, such as SNMPc Network Manager, HP Openview Network Node Management (NNM) or What'sup Gold. This management method requires the SNMP agent on the switch and the SNMP Network Management Station to use the same community string. This management method, in fact, uses two community strings: the get community string and the set community string. If the SNMP Net-work management Station only knows the set community string, it can read and write to the MIBs. However, if it only knows the get community string, it can only read MIBs. The default gets and sets community strings for the Managed Switch are public.

Figure 3-3: SNMP management

Administration Console The administration console is an internal, character-oriented, and command line user interface for performing system administration such as displaying statistics or changing option settings. Using this method, you can view the administration console from a terminal, personal computer, Apple Macintosh, or workstation connected to the switch's console (serial) port.

There are two ways to use this management method: via direct access or modem port access. The following sections describe these methods. For more information about using the console, refer to Chapter 5: Console Management.



Figure 3-4: Console management setup

Direct Access Direct access to the administration console is achieved by directly connecting a terminal or a PC equipped with a terminal-emulation program (such as HyperTerminal) to the Managed Switch console (serial) port.

When using this management method, a straight DB9 RS-232 cable is required to connect the switch to the PC. After making this connection, configure the terminal-emulation program to use the following parameters:

• 57600 bps

• 8 data bits

• No parity

• 1 stop bit

Figure 3-5: Terminal parameter settings



You can change these settings, if desired, after you log on. This management method is often preferred because you can remain connected and monitor the system during system reboots. Also, certain error messages are sent to the serial port, regardless of the interface through which the associated action was initiated. A Macintosh or PC attachment can use any terminal-emulation program for connecting to the terminal serial port. A workstation attachment under UNIX can use an emulator such as TIP.

Protocols The Managed Switch supports the following protocols:

• Virtual terminal protocols, such as Telnet

• Simple Network Management Protocol (SNMP)

Virtual Terminal Protocols (Telnet) A virtual terminal protocol is a software program, such as Telnet, that allows you to establish a management session from a Macintosh, a PC, or a UNIX workstation. Because Telnet runs over TCP/IP, you must have at least one IP address configured on the Managed Switch before you can establish access to it with a virtual terminal protocol.

Terminal emulation differs from a virtual terminal protocol in that you must connect a terminal directly to the console (serial) port.

NOTE: See the Installation Sheet that came with this product for a Telnet step-by-step procedure using Hyper Terminal.

To access the Managed Switch through a Telnet session:

1. Be Sure of the Managed Switch is configured with an IP address and the Managed Switch is reachable from a PC.

2. Start the Telnet program on a PC and connect to the Managed Switch.

The management interface is exactly the same with RS-232 console management.

SNMP Protocol Simple Network Management Protocol (SNMP) is the standard management protocol for multi-vendor IP networks. SNMP supports transaction-based queries that allow the protocol to format messages and to transmit information between reporting



devices and data-collection programs. SNMP runs on top of the User Datagram Protocol (UDP), offering a connectionless-mode service.

Management Architecture All of the management application modules use the same Messaging Application Programming Interface (MAPI). By unifying management methods with a single MAPI, configuration parameters set using one method (console port, for example) are immediately displayable by the other management methods (for example, SNMP agent of Web browser).

The management architecture of the switch adheres to the IEEE open standard. This compliance assures customers that the Managed Switch is compatible with, and will interoperate with other solutions that adhere to the same open standard.


Chapter 4 Web-Based Management

Summary

This section introduces the configuration and functions of the Web-Based management.

About Web-based Management The Managed Switch offers management features that allow users to manage the Managed Switch from anywhere on the network through a standard browser such as Microsoft Internet Explorer.

The Web-Based Management supports Internet Explorer 6.0. It is based on Java Applets with an aim to reduce network bandwidth consumption, enhance access speed and present an easy viewing screen.

NOTE: By default, IE6.0 or later version does not allow Java Applets to open sockets. The user has to explicitly modify the browser setting to enable Java Applets to use network ports.

The Managed Switch can be configured through an Ethernet connection, make sure the manager PC must be set on same the IP subnet address with the Managed Switch.

For example, the default IP address of the Managed Switch is 192.168.0.100, then the manager PC should be set at 192.168.0.x (where x is a number between 1 and 254, except 100), and the default subnet mask is 255.255.255.0.

If you have changed the default IP address of the Managed Switch to 192.168.1.1 with subnet mask 255.255.255.0 via console, then the manager PC should be set at 192.168.1.x (where x is a number between 2 and 254) to do the relative configuration on manager PC.

Chapter 4: Web-Based Management


Requirements • Workstations of subscribers running Windows 98/ME, NT4.0, 2000/2003/XP, MAC

OS9 or later, Linux, UNIX or other platform compatible with TCP/IP protocols.

• Workstation installed with Ethernet NIC (Network Card).

• Ethernet Port connect

• Network cables - Use standard network (UTP) cables with RJ45 connectors.

• Above PC installed with WEB Browser and JAVA runtime environment Plug-in.

It is recommended to use Internet Explorer 6.0 or above to access the GE-DS-242-PoE Managed Switch.

Figure 4-1: Web management setup

Logging on to the Switch 1. Use Internet Explorer 6.0 or above Web browser. Enter the factory-default IP address to access the Web interface. The factory-default IP Address as following:

http://192.168.0.100

2. When the following login screen appears, please enter the default username "admin" with password "admin" (or the username/password you have changed via console) to login the main screen of Managed Switch. The login screen in Figure 4-2 appears.

Default User name: admin

Default Password: admin



Figure 4-2: Login screen

1. After entering the username and password, the main screen appears as Figure 4-3.

Figure 4-3: Web main page

2. The Switch Menu on the left of the Web page let you access all the commands and statistics the Switch provides.

Now, you can use the Web management interface to continue the switch management or manage the Managed Switch by Web interface. The Switch Menu on the left of the web page let you access all the commands and statistics the Managed Switch provides.



NOTE:

• We recommend using Internet Explorer 6.0 or above to access Managed Switch.

• A changed IP address take effect immediately after click on the Save button, you need to use the new IP address to access the Web interface.

• For security reason, please change and memorize the new password after this first setup.

• Only enter commands in lowercase letters in the web interface.

Main Web Page The Managed Switch provides a Web-based browser interface for configuring and managing it. This interface allows you to access the Managed Switch using the Web browser of your choice. This chapter describes how to use the Managed Switch's Web browser interface to configure and manage it.

Figure 4-4: Main page

Panel Display The web agent displays an image of the Managed Switch's ports. The Mode can be set to display different information for the ports, including Link up or Link down. Clicking on the image of a port opens the Port Statistics page.



The port states are illustrated as follows:

State Disabled Down Link

RJ-45 Ports

SFP Ports

PoE Ports

Main Menu Using the onboard web agent, you can define system parameters, manage and control the Managed Switch, and all its ports, or monitor network conditions. Via the Web-Management, the administrator can setup the Managed Switch by select the functions those listed in the Main Function. The screen in Figure 4-5 appears.

Figure 4-5: GE-DS-242-PoE Managed Switch Main Functions Menu



System Use the System menu items to display and configure basic administrative details of the Managed Switch. Under System the following topics are provided to configure and view the system information: This section has the following items:

System Information Provides basic system description, including contact information

IP Configuration Sets the IP address for management access

SNMP Configuration Configure SNMP agent and SNMP Trap

Firmware Upgrade Upgrade the firmware via TFTP server or Web Brower file transfer

Configuration Backup Save/view the Managed Switch configuration to remote host.

Upload the switch configuration from remote host.

Factory Default Reset the configuration of the Managed Switch

System Reboot Restarts the Managed Switch

System Information The System information page has two parts - Basic and Misc Config.

Basic

The Basic System Info page provides information for the current device information. Basic System Info page helps a switch administrator to identify the model name, firmware / hardware version and MAC address. The screen in Figure 4-6 appears.

Figure 4-6: Basic System Information screenshot



This page includes the following fields:

OBJECT DESCRIPTION

MODEL NAME Displays the system name of the Managed Switch

DESCRIPTION Describes the Managed Switch

MAC ADDRESS Displays the unique hardware address assigned by manufacturer (default)

FIRMWARE VERSION Displays the Managed Switch's firmware version

HARDWARE VERSION Displays the current hardware version

Misc Config

Choose Misc Config from System Information of Managed Switch, the screen in Figure 4-7 appears.

Figure 4-7: Switch Misc Config screenshot




OBJECT DESCRIPTION

MAC Address Age-out Time Type the number of seconds that an inactive MAC address remains in the switch's address table. The value is a multiple of 6.

Default is 300 seconds.

Broadcast Storm Filter Mode

To configure broadcast storm control, enable it and set the upper threshold for individual ports. The threshold is the percentage of the port's total bandwidth used by broadcast traffic. When broadcast traffic for a port rises above the threshold you set, broadcast storm control becomes active.

The valid threshold values are 1/2, 1/4, 1/8, 1/16 and OFF.

Default is "OFF".

Broadcast Storm Filter Packets Select

To select broadcast storm Filter Packets type. If no packets type by selected, mean can not filter any packets .The Broadcast Storm Filter Mode will show OFF.

The selectable items as below:

• Broadcast Packets

• IP Multicast

• Control Packets

• Flooded Unicast / Multicast Packets

Collision Retry Forever

Provide Collision Retry Forever function "Disable" or 16, 32, 48 collision numbers on Managed Switch. If this function is disabled, when a packet meet a collision, the Managed Switch will retry 6 times before discard the packets. Otherwise, the Managed Switch will retry until the packet is successfully sent.

Default value is 16.

Hash Algorithm Provide MAC address table Hashing setting on Managed Switch; available options are CRC Hash and Direct Map.

Default mode is CRC-Hash.

802.1x protocol Enable / disable 802.1x protocol

Apply button Press the button to complete the configuration.

IP Configuration The Managed Switch is a network device, which needs to be assigned an IP address for being identified on the network. Users have to decide a means of assigning IP address to the Managed Switch.



IP address overview

What is an IP address?

Each device (such as a computer) which participates in an IP network needs a unique "address" on the network. It's similar to having a US mail address so other people have a know way to send you messages. An IP address is a four byte number, which is usually written in "dot notation" - each of the bytes' decimal value is written as a number, and the numbers are separated by "dots" (aka periods). An example: 199.25.123.1

How do I get one for this box?

The IP addresses on most modern corporate nets are assigned by an employee called a "Network Administrator", or "Sys. Admin". This person assigns IP addresses and is responsible for making sure that IP addresses are not duplicated - If this happens one or both machines with a duplicate address will stop working.

Another possibility is getting your address assigned to you automatically over the net via DHCP protocol. Enable DHCP function, and reset the machine. If your network is set up for this service, you will get an IP address assigned over the network. If you don't get an address in about 30 seconds, you probably don't have DHCP.

IP Configuration

The IP Configuration includes the IP Address, Subnet Mask and Gateway. The Configured column is used to view or change the IP configuration. Fill up the IP Address, Subnet Mask and Gateway for the device. The screen in Figure 4-8 appears.



Figure 4-8: IP configuration interface


OBJECT DESCRIPTION

DHCP

Enable or disable the DHCP client function.

When DHCP function is enabled, the Managed Switch will be assigned an IP address from the network DHCP server. The default IP address will be replaced by the assigned IP address on DHCP server. After the user clicks Apply, a popup dialog shows up to inform the user that when the DHCP client is enabled, the current IP will lose and user should find the new IP on the DHCP server.

IP Address

Assign the IP address that the network is using.

If DHCP client function is enabled, this switch is configured as a DHCP client. The network DHCP server will assign the IP address to the switch and display it in this column.

The default IP is 192.168.0.100 or the user has to assign an IP address manually when DHCP Client is disabled.

Subnet Mask Assign the subnet mask to the IP address.

If DHCP client function is disabled, the user has to assign the subnet mask in this column field.

Gateway

Assign the network gateway for the switch.

If DHCP client function is disabled, the user has to assign the gateway in this column field.

The default gateway is 192.168.0.254.



SNMP Configuration

SNMP Overview

The Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the exchange of management information between network devices. It is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.

Figure 4-9: SNMP configuration interface

An SNMP-managed network consists of four key components: Network management stations (NMSs), SNMP agents, Management information base (MIB) and network-management protocol:

• Network management stations (NMSs): Sometimes called consoles, these devices execute management applications that monitor and control network elements. Physically, NMSs are usually engineering workstation-caliber computers with fast CPUs, megapixel color displays, substantial memory, and abundant disk space. At least one NMS must be present in each managed environment.

• SNMP Agents: Agents are software modules that reside in network elements. They collect and store management information such as the number of error packets received by a network element.



• Management information base (MIB): A MIB is a collection of managed objects residing in a virtual information store. Collections of related managed objects are defined in specific MIB modules.

• Network-management protocol: A management protocol is used to convey management information between agents and NMSs. SNMP is the Internet community's de facto standard management protocol.

SNMP Overview

SNMP itself is a simple request/response protocol. NMSs can send multiple requests without receiving a response.

• Get -- Allows the NMS to retrieve an object instance from the agent.

• Set -- Allows the NMS to set values for object instances within an agent.

• Trap -- Used by the agent to asynchronously inform the NMS of some event. The SNMPv2 trap message is designed to replace the SNMPv1 trap message.

SNMP Community

An SNMP community is the group that devices and management stations running SNMP belong to. It helps define where information is sent. The community name is used to identify the group. A SNMP device or agent may belong to more than one SNMP community. It will not respond to requests from management stations that do not belong to one of its communities. SNMP default communities are:

• Write = private

• Read = public

System Options

Use this page to define management stations. You can also define a name, location, and contact person for the Managed Switch.



Figure 4-10: SNMP configuration interface


OBJECT DESCRIPTION

System Name

An administratively assigned name for this managed node. By convention, this is the node's fully-qualified domain name. A domain name is a text string drawn from the alphabet (A-Za-z), digits (0-9), minus sign (-). No space characters are permitted as part of a name. The first character must be an alpha character. And the first or last character must not be a minus sign.

The allowed string length is 0 to 255.

System Location The physical location of this node (e.g., telephone closet, 3rd floor).

The allowed string length is 0 to 255, and the allowed content is the ASCII characters from 32 to 126.

System Contact

The textual identification of the contact person for this managed node, together with information on how to contact this person.

The allowed string length is 0 to 255, and the allowed content is the ASCII characters from 32 to 126.

SNMP Status

Indicates the SNMP mode operation. Possible modes are:

• Enabled: Enable SNMP mode operation.

• Disabled: Disable SNMP mode operation.



Community Strings

Community strings serve as passwords and can be entered as one of the following:

Figure 4-11: Community strings interface


OBJECT DESCRIPTION

Community Strings

Here you can define the new community string set and remove the unwanted community string.

• String: Fill the name string.

• RO: Read only. Enables requests accompanied by this community string to display MIB-object information.

• RW: Read/write. Enables requests accompanied by this community string to display MIB-object information and to set MIB objects.

ADD button Press the button to add the management SNMP community strings on the Managed Switch.

REMOVE button Press the button to remove the management SNMP community strings that you defined before on the Managed Switch.

Trap Managers

A trap manager is a management station that receives the trap messages generated by the switch. If no trap manager is defined, no traps will be issued. To define a management station as a trap manager, assign an IP address, enter the SNMP community strings, and select the SNMP trap version.

Figure 4-12: Trap managers interface




OBJECT DESCRIPTION

IP Address Enter the IP address of the trap manager.

Community Enter the community string for the trap station.

Firmware Upgrade It provides the functions allowing the user to update the switch firmware via the Trivial File Transfer Protocol (TFTP) server. Before updating, make sure the TFTP server is ready and the firmware image is located on the TFTP server.

TFTP Firmware Upgrade

The Firmware Upgrade page provides the functions to allow a user to update the Managed Switch firmware from the TFTP server in the network. Before updating, make sure you have your TFTP server ready and the firmware image is on the TFTP server. The screen in Figure 4-13 appears.

Use this menu to download a file from specified TFTP server to the Managed Switch.

Figure 4-13: Firmware Upgrade interface


OBJECT DESCRIPTION

TFTP Server IP Address Type in your TFTP server IP.

Firmware File Name Type in the name of the firmware image file to be updated.

HTTP Firmware Upgrade

The HTTP Firmware Upgrade page contains fields for downloading system image files from the Local File browser to the device. The Web Firmware Upgrade screen in Figure 4-14 appears.



Figure 4-14: HTTP Firmware Upgrade interface

To open Firmware Upgrade screen, perform the following:

1. Click System -> Web Firmware Upgrade.

2. The Firmware Upgrade screen is displayed as in Figure 4-14.

3. Click the "Browse" button of the main page, the Choose file window will appear.

4. Select the firmware file, then click the Open button to load the file.

The Firmware upgrade process takes several minutes. Please wait a while, and then manually refresh the webpage.

Configuration Backup

TFTP Restore Configuration

You can restore a previous backup configuration from the TFTP server to recover the settings. Before doing that, you must locate the image file on the TFTP server first and the Managed Switch will download back the flash image.



Figure 4-15: Configuration Restore interface


OBJECT DESCRIPTION


Restore File Name Type in the correct file name for restoring.

TFTP Backup Configuration

You can back up the current configuration from flash ROM to the TFTP server for the purpose of recovering the configuration later. It helps you to avoid wasting time on configuring the settings by backing up the configuration.

Figure 4-16: Configuration Backup interface




OBJECT DESCRIPTION


Backup File Name Type in the file name.

Factory Default Reset Switch to default configuration. Click the reset button to restore all configurations to the default value.

Figure 4-17: Factory Default interface



System Reboot Reboot the Switch with a software reset. Click the reboot button to reboot the system.

Figure 4-18: System Reboot interface



Port Configuration In Port control you can configure the settings of each port to control the connection parameters, the status of each port is listed below.

Figure 4-19: Port Control interface


OBJECT DESCRIPTION

Port Use the scroll bar and click on the port number to choose the port to be configured.

State Current port state. The port can be set to disable or enable mode. If the port state is set as 'Disable', it will not receive or transmit any packet.

Negotiation Auto and Force. Being set as Auto, the speed and duplex mode are negotiated automatically. When you set it as Force, you have to set the speed and duplex mode manually.

Speed It is available for selecting when the Negotiation column is set as Force. When the Negotiation column is set as Auto, this column is read-only.

Duplex It is available for selecting when the Negotiation column is set as Force. When the Negotiation column is set as Auto, this column is read-only.

Flow Control

Whether or not the receiving node sends feedback to the sending node is determined by this item. When enabled, once the device exceeds the input data rate of another device, the receiving device will send a PAUSE frame which halts the transmission of the sender for a specified period of time. When disabled, the receiving device will drop the packet if too much to process.



OBJECT DESCRIPTION

Rate Control

(Unit: 128KBbps)

Port-1 ~ Port-24, supports by-port ingress and egress rate control.

For example, assume port 1 is 10Mbps, users can set its effective egress rate at 1Mbps and ingress rate at 500Kbps. Device will perform flow control or backpressure to confine the ingress rate to meet the specified rate.

• Ingress: Type the port effective ingress rate.

The valid range is 0 ~ 8000. The unit is 128K.

0: disable rate control.

1 ~ 8000: valid rate value

• Egress: Type the port effective egress rate.

The valid range is 0 ~ 8000. The unit is 128K.

0: disable rate control.

1 ~8000: valid rate value.

Security

A port in security mode will be "locked" without permission of address learning. Only the incoming packets with SMAC already existing in the address table can be forwarded normally.

User can disable the port from learning any new MAC addresses, then use the static MAC addresses screen to define a list of MAC addresses that can use the secure port. Enter the settings, then click Apply button to change on this page.

BSF User can disable/Enable port broadcast storm filtering option by port.

The filter mode and filter packets type can be select in Switch Setting > Misc Config page.

Jumbo Frame User can disable/Enable port jumbo frame option by port. When port jumbo frame is enable, the port forward jumbo frame packet.



Port Status This page displays current port configurations and operating status - it is a ports' configurations summary table. Via the summary table, you can learn the status of each port at a glance, like Port Link Up/Link Down status, negotiation, Link Speed, Rate Control, Duplex mode and Flow Control.

Figure 4-20: Port Status interface



Port Statistics The following chart provides the current statistic information, which displays the real-time packet transfer status for each port. The user might use the information to plan and implement the network, or check and find the problem when the collision or heavy traffic occurs.

Figure 4-21: Port Statistics interface


OBJECT DESCRIPTION

Port The port number.

Link The status of linking-'Up' or 'Down'

State Set by Port Control. When the state is disabled, the port will not transmit or receive any packet.

Tx Good Packet The counts of transmitting good packets via this port.

Tx Bad Packet The counts of transmitting bad packets (including undersize [less than 64 octets], oversize, CRC Align errors, fragments and jabbers packets) via this port.

Rx Good Packet The counts of receiving good packets via this port.

Rx Bad Packet The counts of receiving good packets (including undersize [less than 64 octets], oversize, CRC error, fragments and jabbers) via this port.

Tx Abort Packet The aborted packet while transmitting.

Packet Collision The counts of collision packet.



OBJECT DESCRIPTION

Packet Dropped The counts of dropped packet.

Rx Bcast Packet The counts of broadcast packet.

Rx Mcast Packet The counts of multicast packet.

Port Sniffer The Port Sniffer (mirroring) is a method for monitor traffic in switched networks. Traffic through a port can be monitored by one specific port. That is, traffic goes in or out a monitored port will be duplicated into sniffer port.

Figure 4-22: Port Mirror application

Configuring the port mirroring by assigning a source port from which to copy all packets and a destination port where those packets will be sent.



Figure 4-23: Port Sniffer interface


OBJECT DESCRIPTION

Sniffer Type

Select a sniffer mode:

• Disable

• Rx

• Tx

• Both

Analysis (Monitoring) Port It' means Analysis port can be used to see the traffic on another port you want to monitor. You can connect Analysis port to LAN analyzer or netxray.

Monitored Port The port you want to monitor. The monitor port traffic will be copied to Analysis port. You can select one monitor ports in the switch. User can choose which port that they want to monitor in only one sniffer type.

NOTE:

1. When the Mirror Mode set to RX or TX and the Analysis Port be selected, the packets to and from the Analysis Port will not be transmitted. The Analysis Port will accept only COPIED packets from the Monitored Port.

2. If you want to disable the function, you must select monitor port to none.



VLAN Configuration

VLAN Overview A Virtual Local Area Network (VLAN) is a network topology configured according to a logical scheme rather than the physical layout. VLAN can be used to combine any collection of LAN segments into an autonomous user group that appears as a single LAN. VLAN also logically segment the network into different broadcast domains so that packets are forwarded only between ports within the VLAN. Typically, a VLAN corresponds to a particular subnet, although not necessarily.

VLAN can enhance performance by conserving bandwidth, and improve security by limiting traffic to specific domains.

A VLAN is a collection of end nodes grouped by logic instead of physical location. End nodes that frequently communicate with each other are assigned to the same VLAN, regardless of where they are physically on the network. Logically, a VLAN can be equated to a broadcast domain, because broadcast packets are forwarded to only members of the VLAN on which the broadcast was initiated.

NOTE:

1. No matter what basis is used to uniquely identify end nodes and assign these nodes VLAN membership, packets cannot cross VLAN without a network device performing a routing function between the VLAN.

2. The Managed Switch supports IEEE 802.1Q VLAN. The port untagging function can be used to remove the 802.1 tag from packet headers to maintain compatibility with devices that are tag-unaware.

The Managed Switch supports IEEE 802.1Q (tagged-based) and Port-Base VLAN setting in web management page. In the default configuration, VLAN support is "802.1Q".

Port-based VLAN

Port-based VLAN limit traffic that flows into and out of switch ports. Thus, all devices connected to a port are members of the VLAN(s) the port belongs to, whether there is a single computer directly connected to a switch, or an entire department.

On port-based VLAN.NIC do not need to be able to identify 802.1Q tags in packet headers. NIC send and receive normal Ethernet packets. If the packet's destination lies on the same segment, communications take place using normal Ethernet protocols. Even though this is always the case, when the destination for a packet lies



on another switch port, VLAN considerations come into play to decide if the packet is dropped by the Switch or delivered.

IEEE 802.1Q VLANs

IEEE 802.1Q (tagged) VLAN are implemented on the Switch. 802.1Q VLAN require tagging, which enables them to span the entire network (assuming all switches on the network are IEEE 802.1Q-compliant).

VLAN allow a network to be segmented in order to reduce the size of broadcast domains. All packets entering a VLAN will only be forwarded to the stations (over IEEE 802.1Q enabled switches) that are members of that VLAN, and this includes broadcast, multicast and unicast packets from unknown sources.

VLAN can also provide a level of security to your network. IEEE 802.1Q VLAN will only deliver packets between stations that are members of the VLAN. Any port can be configured as either tagging or untagging. The untagging feature of IEEE 802.1Q VLAN allows VLAN to work with legacy switches that don't recognize VLAN tags in packet headers. The tagging feature allows VLAN to span multiple 802.1Q-compliant switches through a single physical connection and allows Spanning Tree to be enabled on all ports and work normally.

Any port can be configured as either tagging or untagging. The untagging feature of IEEE 802.1Q VLAN allows VLAN to work with legacy switches that don't recognize VLAN tags in packet headers. The tagging feature allows VLAN to span multiple 802.1Q-compliant switches through a single physical connection and allows Spanning Tree to be enabled on all ports and work normally.

Some relevant terms:

- Tagging - The act of putting 802.1Q VLAN information into the header of a packet.

- Untagging - The act of stripping 802.1Q VLAN information out of the packet header.

802.1Q VLAN Tags

The figure below shows the 802.1Q VLAN tag. There are four additional octets inserted after the source MAC address. Their presence is indicated by a value of 0x8100 in the Ether Type field. When a packet's Ether Type field is equal to 0x8100, the packet carries the IEEE 802.1Q/802.1p tag. The tag is contained in the following two octets and consists of 3 bits of user priority, 1 bit of Canonical Format Identifier (CFI - used for encapsulating Token Ring packets so they can be carried across Ethernet backbones), and 12 bits of VLAN ID (VID). The 3 bits of user priority are used by 802.1p. The VID is the VLAN identifier and is used by the 802.1Q standard. Because the VID is 12 bits long, 4094 unique VLAN can be identified.

The tag is inserted into the packet header making the entire packet longer by 4 octets. All of the information originally contained in the packet is retained.



802.1Q Tag

User Priority CFI VLAN ID (VID)

3 bits 1 bits 12 bits

TPID (Tag Protocol Identifier) TCI (Tag Control Information)

2 bytes 2 bytes

Preamble Destination Address Source Address VLAN TAG

Ethernet Type Data FCS

6 bytes 6 bytes 4 bytes 2 bytes 46-1517 bytes 4 bytes

The Ether Type and VLAN ID are inserted after the MAC source address, but before the original Ether Type/Length or Logical Link Control. Because the packet is now a bit longer than it was originally, the Cyclic Redundancy Check (CRC) must be recalculated. Adding an IEEE802.1Q Tag

Dest. Addr. Src. Addr. Length/E. type Data Old CRC

Dest. Addr. Src. Addr. E. type Tag Length/E. type Data New CRC

Priority CFI VLAN ID

Port VLAN ID

Packets that are tagged (are carrying the 802.1Q VID information) can be transmitted from one 802.1Q compliant network device to another with the VLAN information intact. This allows 802.1Q VLAN to span network devices (and indeed, the entire network - if all network devices are 802.1Q compliant).

Every physical port on a switch has a PVID. 802.1Q ports are also assigned a PVID, for use within the switch. If no VLAN are defined on the switch, all ports are then assigned to a default VLAN with a PVID equal to 1. Untagged packets are assigned the PVID of the port on which they were received. Forwarding decisions are based upon this PVID, in so far as VLAN are concerned. Tagged packets are forwarded according to the VID contained within the tag. Tagged packets are also assigned a PVID, but the PVID is not used to make packet forwarding decisions, the VID is.

Tag-aware switches must keep a table to relate PVID within the switch to VID on the network. The switch will compare the VID of a packet to be transmitted to the VID of the port that is to transmit the packet. If the two VID are different the switch will drop the packet. Because of the existence of the PVID for untagged packets and the VID

Original Ethernet

New Tagged Packet



for tagged packets, tag-aware and tag-unaware network devices can coexist on the same network.

A switch port can have only one PVID, but can have as many VID as the switch has memory in its VLAN table to store them.

Because some devices on a network may be tag-unaware, a decision must be made at each port on a tag-aware device before packets are transmitted - should the packet to be transmitted have a tag or not? If the transmitting port is connected to a tag-unaware device, the packet should be untagged. If the transmitting port is connected to a tag-aware device, the packet should be tagged.

Default VLANs

The Switch initially configures one VLAN, VID = 1, called "default." The factory default setting assigns all ports on the Switch to the "default". As new VLAN are configured in Port-based mode, their respective member ports are removed from the "default."

VLAN and Link Aggregation Groups

In order to use VLAN segmentation in conjunction with port link aggregation groups, you can first set the port link aggregation group(s), and then you may configure VLAN settings. If you wish to change the port link aggregation grouping with VLAN already in place, you will not need to reconfigure the VLAN settings after changing the port link aggregation group settings. VLAN settings will automatically change in conjunction with the change of the port link aggregation group settings.

Static VLAN Configuration A Virtual LAN (VLAN) is a logical network grouping that limits the broadcast domain. It allows you to isolate network traffic so only members of the VLAN receive traffic from the same VLAN members. Basically, creating a VLAN from a switch is logically equivalent of reconnecting a group of network devices to another Layer 2 switch. However, all the network devices are still plug into the same switch physically.

The Managed Switch supports Port-based and 802.1Q (Tagged-based) VLAN in web management page. In the default configuration, VLAN support is "802.1Q".



Figure 4-24: Static VLAN interface

NOTE:

1. No matter what basis is used to uniquely identify end nodes and assign these nodes VLAN membership, packets cannot cross VLAN without a network device performing a routing function between the VLAN.

2. The Switch supports Port-based VLAN and IEEE 802.1Q VLAN. The port untagging function can be used to remove the 802.1 tag from packet headers to maintain compatibility with devices that are tag-unaware.

Port-Based VLAN Packets can go among only members of the same VLAN group. Note all unselected ports are treated as belonging to another single VLAN. If the port-based VLAN enabled, the VLAN-tagging is ignored.

In order for an end station to send packets to different VLANs, it itself has to be either capable of tagging packets it sends with VLAN tags or attached to a VLAN-aware bridge that is capable of classifying and tagging the packet with different VLAN ID based on not only default PVID but also other information about the packet, such as the protocol.



Figure 4-25: Port-based VLAN interface

Create a VLAN and add member ports to it

1. Click the hyperlink "VLAN" \ "Static VLAN" to enter the VLAN configuration interface.

2. Select "Port Based VLAN" at the VLAN Operation Mode, to enable the port-based VLAN function.

3. Click " Add " to create a new VLAN group. See Figure 4-26 appears.

4. Type a name and Group ID for the new VLAN, the available range is 2-4094.

5. From the Available ports box, select ports to add to the Managed Switch and click Add .

6. Click Apply.

7. You will see the VLAN Group displays.

8. If the port-based VLAN groups list over one page, please click "Next Page" to view other VLAN groups on other page.

9. Use the "Delete" button to delete unwanted port-based VLAN groups

10. Use the " Edit" button to modify existing port-based VLAN groups.

By adding ports to the VLAN you have created one port-based VLAN group completely.



Figure 4-26: Static VLAN interface


OBJECT DESCRIPTION

VLAN Name Use this optional field to specify a name for the VLAN. It can be up to 16 alphanumeric characters long, including blanks.

Group ID You can configure the ID number of the VLAN by this item. This field is used to add VLANs one at a time. The VLAN group ID and available range is 2-4094.

Port Indicate port 1 to port 26.

Add Defines the interface as a Port-Based member of a VLAN. Member

Remove Forbidden ports are not included in the VLAN.

NOTE: All unselected ports are treated as belonging to another single VLAN. If the port-based VLAN is enabled, the VLAN-tagging is ignored.

802.1Q VLAN Tagged-based VLAN is an IEEE 802.1Q specification standard. Therefore, it is possible to create a VLAN across devices from different switch venders. IEEE 802.1Q VLAN uses a technique to insert a "tag" into the Ethernet frames. Tag contains a VLAN Identifier (VID) that indicates the VLAN numbers.

You can create and delete Tag-based VLAN. There are 256 VLAN groups to provide configure. Enable 802.1Q VLAN, the all ports on the switch belong to default VLAN, VID is 1. The default VLAN can't be deleted.



Understanding the nomenclature of the Switch

• IEEE 802.1Q Tagged and Untagged

Every port on an 802.1Q compliant switch can be configured as tagged or untagged.

Tagged Ports with tagging enabled will put the VID number, priority and other VLAN

information into the header of all packets that flow into those ports. If a packet has previously been tagged, the port will not alter the packet, thus keeping the VLAN information intact. The VLAN information in the tag can then be used by other 802.1Q compliant devices on the network to make packet-forwarding decisions.

Untagged Ports with untagging enabled will strip the 802.1Q tag from all packets that flow into those ports. If the packet doesn't have an 802.1Q VLAN tag, the port will not alter the packet. Thus, all packets received by and forwarded by an untagging port will have no 802.1Q VLAN information. (Remember that the PVID is only used internally within the Switch). Untagging is used to send packets from an 802.1Q-compliant network device to a non-compliant network device.

Frame Income

Frame Leave Income Frame is tagged Income Frame is untagged

Leave port is tagged Frame remains tagged Tag is inserted

Leave port is untagged Tag is removed Frame remain untagged

VLAN Group Configuration

• VLAN Group Configuration

Figure 4-27: VLAN Group Configuration interface



1. Click the hyperlink "VLAN" \ "Static VLAN" to enter the VLAN configuration interface.

2. Select "802.1Q" in the VLAN Operation Mode, to enable the 802.1Q VLAN function.

3. Click Add to create a new VLAN group or Edit to management exist VLAN groups. Then the VLAN Group column appears.

4. Input a VLAN group ID and available range is 2-4094.

Figure 4-28: VLAN Group Configuration interface

5. Select specific port as member port. The screen in Figure 4-29 appears.



Figure 4-29: 802.1Q VLAN Setting Web Page screen


OBJECT DESCRIPTION

VLAN Name Use this optional field to specify a name for the VLAN. It can be up to 16 alphanumeric characters long, including blanks.

VLAN ID You can configure the ID number of the VLAN by this item. This field is used to add VLANs one at a time.

The VLAN group ID and available range is 2-4094.

Port Indicate port 1 to port 26.

Untag Packets forwarded by the interface are untagged.

UnTag Member Tag

Defines the interface as a tagged member of a VLAN. All packets forwarded by the interface are tagged. The packets contain VLAN information.

6. After setup completed, please press "Apply" button to take effect.

7. Please press "Back" for return to VLAN configuration screen to add other VLAN group, the screen in Figure 4-28 appears.

8. If there are many groups that over the limit of one page, you can click Next to view other VLAN groups.

9. Use the Delete button to delete unwanted VLAN.

10. Use the Edit button to modify existing VLAN group.



NOTE: Enable 802.1Q VLAN, the all ports on the switch belong to default VLAN, VID is 1. The default VLAN can't be deleted.

VLAN Filter

• 802.1Q VLAN Port Configuration

This page is used for configuring the Switch port VLAN. The VLAN per Port Configuration page contains fields for managing ports that are part of a VLAN. The port default VLAN ID (PVID) is configured on the VLAN Port Configuration page. All untagged packets arriving to the device are tagged by the ports PVID.

This section provides 802.1Q Ingress Filter of each port from the Switch, the screen in Figure 4-30 appears.

Figure 4-30: 802.1Q Ingress filter interface




OBJECT DESCRIPTION

NO Indicate port 1 to port 26.

PVID

Set the port VLAN ID that will be assigned to untagged traffic on a given port. This feature is useful for accommodating devices that you want to participate in the VLAN but that don't support tagging.

The switch each port allows user to set one VLAN ID, the range is 1~255, default VLAN ID is 1.

The VLAN ID must as same as the VLAN ID that the port belong to VLAN group, or the untagged traffic will be dropped.

Ingress Filtering 1

Ingress filtering lets frames belonging to a specific VLAN to be forwarded if the port belongs to that VLAN.

Enable: Forward only packets with VID matching this port's configured VID.

Disable: Disable Ingress filter function.

Ingress Filtering 2

Drop untagged frame.

Disable: Acceptable all Packet.

Enable: Only packet with match VLAN ID can be permission to go through the port.

Apply button Press the button to save configurations.



802.1Q VLAN

IEEE 802.1Q Tunneling (Q-in-Q)

IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs. This is accomplished by inserting Service Provider VLAN (SPVLAN) tags into the customer's frames when they enter the service provider's network, and then stripping the tags when the frames leave the network.

A service provider's customers may have specific requirements for their internal VLAN IDs and number of VLANs supported. VLAN ranges required by different customers in the same service-provider network might easily overlap, and traffic passing through the infrastructure might be mixed. Assigning a unique range of VLAN IDs to each customer would restrict customer configurations, require intensive processing of VLAN mapping tables, and could easily exceed the maximum VLAN limit of 4096.

The Managed Switch supports multiple VLAN tags and can therefore be used in MAN applications as a provider bridge, aggregating traffic from numerous independent customer LANs into the MAN (Metro Access Network) space. One of the purposes of the provider bridge is to recognize and use VLAN tags so that the VLANs in the MAN space can be used independent of the customers' VLANs. This is accomplished by adding a VLAN tag with a MAN-related VID for frames entering the MAN. When leaving the MAN, the tag is stripped and the original VLAN tag with the customer-related VID is again available.

This provides a tunneling mechanism to connect remote costumer VLANs through a common MAN space without interfering with the VLAN tags. All tags use EtherType 0x8100 or 0x88A8, where 0x8100 is used for customer tags and 0x88A8 are used for service provider tags.



In cases where a given service VLAN only has two member ports on the switch, the learning can be disabled for the particular VLAN and can therefore rely on flooding as the forwarding mechanism between the two ports. This way, the MAC table requirements are reduced.

Q-in-Q Port Setting

The QinQ VLAN \ QinQ Port Setting screen in Figure 4-31 appears.

Figure 4-31: Q-in-Q Port Setting interface


OBJECT DESCRIPTION

Enable Sets the Managed Switch to QinQ mode, and allows the QinQ tunnel port to be configured.

Disable The Managed Switch operates in its normal VLAN mode. QinQ

The default is for the Managed Switch to function in Disable mode.

QinQ TPID

The Tag Protocol Identifier (TPID) specifies the ethertype of incoming packets on a tunnel access port.

o 802.1Q Tag : 8100

o vMAN Tag : 88A8

Default : 802.1Q Tag.

Port QinQ Check: Sets the Port to QinQ mode. Or the port operates in its normal VLAN mode.

Default: Un-check.



OBJECT DESCRIPTION

Check Configures IEEE 802.1Q tunneling (QinQ) for an uplink port to another device within the service provider network.

QinQ Uplink Cancel Configures IEEE 802.1Q tunneling (QinQ) for a client

access port to segregate and preserve customer VLAN IDs for traffic crossing the service provider network.

Q-in-Q Tunnel Setting

Business customers of service providers often have specific requirements for VLAN IDs and the number of VLANs to be supported. The VLAN ranges required by different customers in the same service-provider network might overlap, and traffic of customers through the infrastructure might be mixed. Assigning a unique range of VLAN IDs to each customer would restrict customer configurations and could easily exceed the VLAN limit (4096) of the IEEE 802.1Q specification.

Using the QinQ feature, service providers can use a single VLAN to support customers who have multiple VLANs. Customer VLAN IDs are preserved, and traffic from different customers is segregated within the

ge-ds-242-poe managed ethernet switch user...

Documents